Unwrapping the Biometrics Mystique By Lisa Terry, Contributing Editor, VSR
It's right up there with RFID: biometrcs is a technology wrapped in mystique, admired for its power -- and largely avoided because of costs and public misunderstanding.
While most commercial applications were busy ignoring biometrics, the technology has grown more sophisticated, cheaper, and is on the road to being standardized. The Federal government is a big fan, helping to drive the use of biometrics for physical and logical access control and security. As interest in two- or even three-factor identification soars, striving to meet at least two of the "what you have, what you know, and what you are" categories, biometrics fill the latter quite nicely; biometrics are the one credential that's difficult to lose.
Despite these gains, the biometrics industry has experienced its share of challenges. "The biometric market spiked, then leveled off with all the hot button issues," such as privacy concerns, says Edward Hendricks Jr., southern sales manager for Keri Systems, a San Jose, Calif.-based security system manufacturer of facility access control, video security and employee ID systems. "Down the road, especially as the costs come down, and more reliable technology (emerges), we'll see another spike."
Biometric format standards including FIPS 140-2 Level 2 and HSPD-12 have helped adoption, but efforts toward interoperability are slow going, limiting choice and driving up costs. Public mistrust continues, and recent financial data breaches do nothing to assure consumers of the sanctity of their biometric data, even if it's stored only on a card they possess. Costs still don't rival those of other security approaches.
So while it seems destined to remain a niche technology for some time to come, there are situations in which biometrics' strengths make for an ideal component of a highly secure access control system. Here's what VARs already drawn into the security arena (through its transition to IP) need to know about biometrics and access control.
Where Biometrics Fits In
Biometrics can often be cost-justified for highly secure facilities or portions of facilities such as data centers, research labs, intellectual property repositories, high-value or sensitive goods storage areas, telephone rooms and other sensitive data areas. Some warehouses have used biometrics to authenticate users of heavy equipment such as forklifts. Mobile computers are also being equipped with biometric readers to associate high-value transactions with specific pickers. For example, Motorola's MC70 or MC75 offer an optional fingerprint reader, says Peggy Lane, government business development manager-Motorola at BlueStar. Governments also use these to verify identities for eCitations, fish and game licenses or to authenticate workers at a crime scene.
One retail customer of Brivo, a Bethesda, Md.-based company, which markets security via a Managed Services business model, tried card and PIN technologies to secure a storeroom for high-value goods, but had issues with workers borrowing each other's cards. So Brivo installed an integrated fingerprint-based access control system and video solution to track movement in and out, with all of the data remotely accessible to loss prevention via the Internet. "If you prevent the theft of a single flat-screen TV, you've more than covered the cost of a fingerprint reader," says Steve Van Till, Brivo's president and CEO.
Smart cards have displaced proximity cards as the most popular credential for access control. Among the benefits is the ability to carry biometric data right on the card; while many customers initially want a biometric-only system, they're usually dissuaded by privacy issues, and the implications of storing and accessing biometric data. Putting the biometric on a card speeds authentication, protects privacy, and suits applications with many users. It also eliminates help desk costs to reset PINS and passwords.
More recently, USB encrypted flash drives are fulfilling this role, such as MXI Security's Stealth MXP and Outbacker MXP, which incorporate a thumb swipe and biometric software on the device, along with features supporting VPN security, laptop data encryption, network access security, simplified password management and more. "You can secure the laptop data as well as encrypt the file...it's one product that can do the total convergence of many technologies," such as hardware encryption or PKI keys, says Ian McKay, general manager of MXI Security.
Aladdin Knowledge Systems, a worldwide provider of USB-based authentication solutions, offers its Aladdin eToken, which can store biometric and other security data. The device is commonly used for both physical and logical access control, from door access to payments to sign-ons, says Chen Arbel, VP for Aladdin North America. A consumer version is currently under development.
Biometrics have been adopted for logical access control at a slower pace than physical. A biometric fingerprint scanner is offered as an option on several PC and laptop models, but adoption is slow. AT&T recently furnished its sales reps with Fujitsu laptops including a biometric reader and BIO-key International's fingerprint identification software.
The cost of a biometric system varies, but generally there is still a premium over card-based access control systems. A single-door installed and complete fingerprint reader-based system is often in the $3,400 to $4,500 range, according to Keri Systems, while an iris version could be $10,000. Fingerprint readers themselves have stayed at around the $500 price point, but the $500 that once purchased a 1-to-many solution pays for a 1-to-1 device, which costs far less to operate.
Another trend is using multiple biometrics together for highly secure applications, says Jonathan Collins, principal analyst at ABI Research.
Biometrics have long had a "gee whiz" image, which has been well-exploited in various television shows and movies. Among today's cutting-edge experiments are cell phones that use motion sensors to record and verify a user's walking
pattern of movement, or gait. The device then periodically checks to see that it is still in the possession of its legitimate owner.
Similarly, cell phones may use biometric interfaces to help direct their use. According to a patent filed by Apple, its Multi-Touch design uses voice, biometric and facial inputs along with touch interactions to create and signal action commands.
Facial recognition is also gaining traction in the biometrics space. This technology is used to automatically identify or verify a person from a digital image or a video frame. Facilities with extremely tight security needs might use both mega-pixel video surveillance and access control systems. The video can be used for facial recognition as a biometric, or simply to record images of users entering a door using another access control system. This biometric works best to confirm a single individual -- but not to identify a person in a crowd.
Other essential trends in the security space include the migration to IP-based solutions and the use of Power over Ethernet to power security devices. Single credential solutions, where the same token is used for physical and logical access, are rapidly growing in popularity.
What VARs Need to Know
"Biometrics can be a pretty straightforward to install now," says Brad Jarvis, vice president of product marketing for HID Global, which is known for its contactless access control cards and readers. Selecting the appropriate biometric and assessing anticipated return on investment for a proposed biometric access control solution means taking into account several factors:
Regulations, such as HIPPA in health care, SOX for financial records and controlled substance regulations affecting pharmaceuticals. "There is a new regulation in the banking industry enforcing 2-factor identification to their online user installed base to do secure online banking without a footprint," says Aladdin's Arbel. Tobacco, a controlled substance, also uses biometrics for chain of custody throughout the supply chain, adds Dave Adams, marketing director, logical and physical access, for HID.
"Look for any contractual requirements to audit and validate security, especially if there are government contracts," says HID's Jarvis.
Presence of high-value or sensitive data or goods such as consumer electronics, firearms, controlled substances -- these may be housed in a secure, inner area of a facility.
Risk management cost/benefit analysis, says Brivo's Van Till. Consider the assets to be protected and the risk of a breech. "If the solution is significantly less than an exposure it makes sense."
Do your research into the levels of fraud as it pertains to the potential client's industry, suggests BlueStar's Lane.
Biometrics can also be the answer in environments where other security methods have failed; credentials were counterfeited, etc.
When specifying a biometric, it's essential to take the environment and processes into account, such as need for flow-through or harsh conditions. Given all there is to know, getting involved in biometrics means taking a fairly deep dive into the subject matter, or partnering with a security VAR with biometric experience.
"You still need a fairly good understanding of the technology and how it's used," says HID's Adams. "You could probably give yourself a black eye if you deploy incorrectly."
With cases of both physical and data loss on the rise, more situations may merit a biometric today. "Physical security is still a good, strong market, despite the downturn in the economy," says Paul Constantine, VP of merchandising for ScanSource Security.
It's right up there with RFID: biometrcs is a technology wrapped in mystique, admired for its power -- and largely avoided because of costs and public misunderstanding.
Where Biometrics Fits In
